Router-host logging

ABSTRACT

According to a general aspect, a method includes receiving, at a network interface device at a user location, a request from a first machine located at the user location, the request including a first-machine identifier and a request to access through the network interface device a first location on a network. The method also includes logging, at the network interface device, the request from the first machine into a first-machine log for requests from the first machine, the logging into the first-machine log being based on the first-machine identifier. The method also includes receiving at the network interface device a request from a second machine located at the user location, the request from the second machine including a second-machine identifier and a request to access through the network interface device a second location on the network, and the network interface device, the first machine, and the second machine being located at a user location. The method further includes logging, at the network interface device, the request from the second machine into a second-machine log for all requests from the second machine, the logging into the second-machine log being based on the second-machine identifier.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims the benefit of priority of U.S. patent application Ser. No. 11/395,540, filed Apr. 3, 2006 (now U.S. Pat. No. 9,438,683), which claims priority to U.S. Provisional Application No. 60/758,986, filed Jan. 17, 2006, U.S. Provisional Application No. 60/686,420, filed Jun. 2, 2005, and U.S. Provisional Application No. 60/667,664, filed Apr. 4, 2005. The disclosures of the above-referenced applications are expressly incorporated herein by reference to their entireties.

TECHNICAL FIELD

This disclosure relates, in part, to logging network communications.

BACKGROUND

Users may access content from a network, such as the Internet. In various systems, users make requests for content, using for example a browser. Systems are available to log these user requests, and provide the log to one or more interested parties. In addition to logging the requests from the users, the requests may also be screened to determine if the content that is requested is suitable for the user. If the content is deemed not to be suitable for the user, then the content may be blocked.

SUMMARY

According to a general aspect, a method includes receiving, at a network interface device at a user location, a request from a first machine located at the user location, the request including a first-machine identifier and a request to access through the network interface device a first location on a network. The method also includes logging, at the network interface device, the request from the first machine into a first-machine log for requests from the first machine, the logging into the first-machine log being based on the first-machine identifier. The method also includes receiving at the network interface device a request from a second machine located at the user location, the request from the second machine including a second-machine identifier and a request to access through the network interface device a second location on the network, and the network interface device, the first machine, and the second machine being located at a user location. The method further includes logging, at the network interface device, the request from the second machine into a second-machine log for all requests from the second machine, the logging into the second-machine log being based on the second-machine identifier.

According to another general aspect, a method includes establishing a connection between a network interface device and a first network service provider having network access control rules. The method further includes receiving, at the network interface device, a request from a machine to access a second network service provider through the network interface device, the second network service provider being different from the first network service provider. The method further includes providing, by the network interface device, access between the machine and the second network service provider through the network interface device. The method further includes accessing, by the network interface device, a network access control rule from the first network service provider that governs service provided to the machine from any network service provider. The method also includes applying, by the network interface device, the network access control rule to the machine while the machine is connected with the second network service provider, to limit the service provided to the machine from the second network service provider.

According to another general aspect, a method includes receiving, at a network interface device at a user location, a request from a first machine located at the user location, the request including a first-machine identifier and a request to access through the network interface device a first location on a network. The method also includes accessing a first-machine network access rule. The method also includes determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the first location on the network. The method further includes receiving at the network interface device a request from a second machine located at the user location, the request from the second machine including a second-machine identifier and a request to access through the network interface device a second location on the network, and the network interface device, the first machine, and the second machine being located at a user location. The method also includes accessing a second-machine network access rule. The method further includes determining, based on the accessed second-machine network access rule, whether to grant the second machine access to the second location on the network.

Implementations of the above general aspects may include one or more of a variety of features, such as those described elsewhere in this disclosure. Further, the claims that are listed at the end of this disclosure are to be considered as part of the specification for all purposes. Accordingly, the content of the claims is included in the specification for all purposes.

The various aspects, implementations, and features may be implemented in a variety of manners, even if only described herein in, for example, a single manner. The various aspects, implementations, and features may be implemented using, for example, one or more of: a method; an apparatus; an apparatus for performing a method; a program or other set of instructions for performing one or more aspects, implementations, or features; an apparatus that includes a program or other set of instructions; a computer readable medium; or a propagated signal. The computer readable medium or propagated signal may include, for example, instructions, software, and other data. The various aspects, implementations, and features may also include additional components, such as, for example, a computer, a router, a server, or a peripheral device.

The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features will be apparent from the description and drawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 illustrates an exemplary system configured to provide network access control and logging.

FIG. 2 illustrates an exemplary process for registering a network interface device.

FIG. 3 illustrates an exemplary process for organizing a network interface access request.

FIG. 4 illustrates an exemplary process for organizing an access request log report.

FIG. 5A illustrates an exemplary graphic user interface for configuring controls.

FIG. 5B illustrates an exemplary graphic user interface for configuring controls.

FIG. 6A illustrates an exemplary log report of access requests.

FIG. 6B illustrates an exemplary log report of access requests.

FIG. 6C illustrates an exemplary log report of access requests.

FIG. 7 illustrates an exemplary process for providing network access control and logging.

FIG. 8 illustrates an exemplary process for providing network access control and logging.

DETAILED DESCRIPTION

In one implementation, a system includes multiple computers in a home that are connected to a router that is also in the home. The computers access the Internet through the router, and the router keeps a log of Internet activity for each of the computers. The router uploads the log on a regular basis to a host computer on the Internet, and the host computer makes the logs available to an authorized viewer in one or more of a variety of useful formats that are configurable by the authorized viewer. The router also controls access to the Internet for each of the computers by applying access rules to determine whether to grant or to deny access to any particular Internet site that is requested at one of the computers. The access rules may be varied based on the computer or the user that is using the computer.

Referring to FIG. 1, system 100 is shown to be configured to provide network communication. System 100 includes several clients 104 coupled to a network interface device 110 that is coupled to a network 112. The network 112 also is coupled to a host 114 and servers 116. The host 114 may be configured to provide network access rules and the servers 116 may be configured to provide content for a user of client 104. The dashed lines in FIG. 1 indicate optional connections.

A client 104 may include devices with which the user interacts in order to send a request to access a network location. For example, a client 104 may be a personal computer, laptop, cell phone, or personal data assistant. A client 104 also, or alternatively, may include an application, a piece of software, or a set of instructions, with which the user interacts in order to send a request to access a network location. Multiple clients 104 may all be co-located in one building, home, or other user location.

A client 104 may be configured to communicate with the network interface device 110 through various methods, such as wireless networking or Ethernet cable. The network interface device 110 may include, for example, a router, and it may be utilized to link multiple clients 104 to the network 112. The network 112 may include, for example, the Internet, and servers 116, and the host 114 may include devices connected to the Internet.

In one implementation, system 100 is configured to provide Internet access for one or more of the clients 104. The host 114 provides network access rules (or simply access rules) that result in the network interface device 110 granting or denying a request, received through the network 112 from a user of a client 104, to access resources hosted at or available through servers 116. The access rules are stored on the host 114 and may be transferred to the network interface device 110. Access rules on the host 114 may be accessed for all requests. In other implementations, access rules on the host 114 are accessed only for some requests.

Note that the access rules may be static rules that are created once and not changed. Alternatively, the access rules may be rules that are (1) updated regularly, (2) updated automatically using, for example, new votes/ratings that are received from users, and/or (3) updated automatically using, for example, various forms of artificial intelligence.

Referring to FIG. 2, a process 200 involves a network interface device establishing an initial connection with a host. Process 200 focuses, in part, on establishing a connection between the network interface device and the host because later figures provide additional detail to illustrate aspects of the network interface device performing a variety of services while in communication with the host.

The process 200 may be used in conjunction with the system 100 of FIG. 1 and, accordingly, the discussion below and FIG. 2 itself describe the process 200 in the context of the system 100. However, other systems may be used.

Moreover, implementations of the process 200 may be performed, for example, only one time at the initial configuration of the network interface device 110 (as indicated in the description below of the process 200), or each time the network interface device 110 is powered on. Implementations of the process 200 may be initiated, for example, by a request for content from the client 104 (as indicated in FIG. 2), or by a self-initiated request for connection or configuration by the network interface device 110. The following therefore describes one exemplary implementation of a process for establishing an initial connection with a host.

Process 200 includes the client 104 sending a request for content to the host 114 through the network interface device 110 (205). The request, also referred to as an initiation request, is intended to establish initial communications between the client 104 and the host 114, and serves as a useful vehicle for prompting the network interface device 110 to establish an initial connection with the host 114 and perform configuration procedures. The initiation request may be sent, for example, automatically when the client 104 is turned on or may be sent as a result of the user manually launching a software program on the client 104. The initiation request contains an identifier of the client 104 such as, for example, a media access control or internet protocol address.

The initiation request is received by the network interface device 110 which then directs the client 104 to the host 114 and sends to the host 114 identification parameters of the network interface device 110 (210). The identification parameters may be, for example, a media access control (i.e., MAC) or IP (Internet Protocol) address. The identification parameters allow the host 114 to identify the network interface device 110 and allow the host 114 to store a profile for the network interface device 110.

The host 114 receives the identification parameters (215) and authenticates the user (220). Authenticating the user (220) may be conducted automatically or it may require user input, such as a password or login number. A notice of authentication, which may optionally include a reservation number, is generated and then sent to the network interface device 110. The reservation number also is associated with the network interface device 110.

Upon receipt of the authentication (225), the network interface device 110 sends a register function call to the host 114 (230). The register function call may include the reservation number as well as a network interface device 110 identification number. The register function call is the mechanism by which the network interface device initially registers with the host 114 so that the host 114 will be configured to receive log reports and access rule requests from the network interface device 110, as described in more detail below. Implementations may wait, as in the process 200, for user authentication to be complete before sending a register function call, for security purposes. However, other implementations, for example, send a register function call without authenticating a user.

In response to receiving the register function call (235), the host 114 generates and sends a device token to the network interface device 110 (240). The device token is generated based on some identifying information for the network interface device 110, such as, for example, the identification parameters earlier received (see 215). By generating the device token based on stored information for the network interface device 110, the host 114 is able to regenerate the device token as explained with respect to FIG. 3 below.

The device token instructs the network interface device 110 to conduct a grant-or-deny procedure for each of the access requests generated by the client 104. The network interface device 110 receives the device token and stores the device token locally on the network interface device 110 (245). Optionally, an indication of connection between the network interface device 110 and the host 114 based on the device token may be sent to the client 104 (250).

Establishing the initial connection of the network interface device 110 may be conducted differently or not at all. For example, the process 200 may be conducted automatically when the network interface device 110 first establishes a connection to the network 112. In another implementation, a user may initiate the process 200 by manually selecting initiation options on the client 104, in which case the selection options are later sent to the host 114 through the network interface device 110.

Various system configuration options may be configured by a user during initiation, such as during the authentication of the user (220), which may be interactive between the user and the host 114. The configuration options may allow the user to limit access through the network interface device 110 to the host 114 or one or more servers 116, which represent locations accessible through the network 112. Such configuration options may apply to all clients 104 connected to the network interface device 110. The configuration options may allow access to be limited based on, for example, network locations, time of day, bandwidth, or content. Upon receiving a request for content from a client 104, the network interface device 110 may access the configuration options on the host 114 and make a decision to grant or deny access to the requested content.

Referring to FIG. 3, a process 300 includes a network interface device 110 granting or denying an access request from a client 104. The process 300 may be used in conjunction with the system 100 of FIG. 1, and the discussion below and FIG. 3 itself describe the process 300 in the context of the system 100. However, other systems may be used.

Process 300 includes a client 104 sending a request to access network location #1 (305). The access request is generated when, for example, the user navigates to a website or launches a file sharing program. The access request contains an identifier of the client 104 such as a MAC or IP address. The access request is sent to the network interface device 110 which in turn sends a request to the host 114 to access network access rules for the client 104 (310). The network access rules contain information pertaining to a particular machine (the client 104) and enable a determination of a grant-or-deny decision.

In sending the request to access network access rules, the network interface device 110 includes its device token as well as some additional descriptive information, such as, for example, the identification parameters provided to the host 114 in the process 200. The host 114 receives the request for network access rules, including the device token and the additional descriptive information. The host 114 then verifies the device token by generating the device token again based on the additional descriptive information. In this way, the network interface device 110 must have its device token as well as the particular additional descriptive information in order to be recognized and serviced by the host 114. The verification, by the host 114, of the device token provides a security measure that other implementations need not provide or may provide in a different manner.
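The regenerate-and-compare check described above, as an added example that is not part of the patent text. The disclosure does not say how the device token is derived; this sketch assumes an HMAC-SHA256 over the identification parameters, keyed with a secret held only by the host, and the names Host, derive_token, register and rules_request are hypothetical.

```python
import hashlib
import hmac


def _canonical(params: dict) -> bytes:
    """Serialize identification parameters unambiguously.

    Keys are sorted, values are trimmed and lower-cased (so a MAC address
    matches regardless of case), and every field is length-prefixed so that
    {"a": "bc"} and {"ab": "c"} cannot produce the same byte string.
    """
    out = bytearray()
    for key in sorted(params):
        for field in (key, params[key].strip().lower()):
            raw = field.encode("utf-8")
            out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def derive_token(secret: bytes, params: dict) -> str:
    """Assumed derivation: HMAC-SHA256 of the canonical parameters."""
    return hmac.new(secret, _canonical(params), hashlib.sha256).hexdigest()


class Host:
    """Stands in for host 114: issues tokens and answers rule requests."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._profiles = {}  # canonical parameters -> access rules

    def register(self, params: dict, rules: dict) -> str:
        """Register call (230-240): store the profile, return the token."""
        self._profiles[_canonical(params)] = rules
        return derive_token(self._secret, params)

    def rules_request(self, token: str, params: dict):
        """Rule request (310): regenerate the token and compare.

        Returns the stored rules, or None when the token does not match the
        supplied parameters or no profile exists for them.
        """
        expected = derive_token(self._secret, params)
        # Constant-time comparison; encode so arbitrary input cannot raise.
        if not hmac.compare_digest(expected.encode(), token.encode("utf-8")):
            return None
        return self._profiles.get(_canonical(params))


if __name__ == "__main__":
    # Constructed sample values, not taken from the patent.
    host = Host(b"constructed-example-secret")
    router = {"mac": "02:00:00:00:00:AB", "ip": "192.0.2.10"}
    token = host.register(router, {"default": "deny"})
    print(host.rules_request(token, router))                      # rules
    print(host.rules_request(token, {**router, "ip": "192.0.2.11"}))  # None
```

Because the token is a function of the parameters and a host-only key, a device that presents a valid token with different descriptive information is refused, which is the property the paragraph describes.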

The host 114 accesses the access rules pertaining to the client 104 (315). Using the accessed rules, the host 114 determines whether to grant or deny access to network location #1 to the client 104 (320).

If a decision to deny access is determined (320), instructions to deny client 104 access to network location #1 are sent to the network interface device 110 (325). The instructions to deny access are commands that instruct the network interface device 110 not to deliver content at network location #1. The network interface device 110 denies the client 104 access (330) by, for example, canceling the request for access from the client 104, and generates a log of the request from the client 104 to access network location #1 (335). An indication that access to network location #1 has been denied is sent to, and received by, the client 104 (340).

If a decision to grant access is determined (320), instructions to grant access to network location #1 are sent to, and received by (345), the network interface device 110. The instructions to grant access are commands that instruct the network interface device 110 to deliver the content at network location #1. The network interface device 110 grants the client 104 access (350) by, for example, approving the request, and generates a log of the request by the client 104 to access network location #1 (355). The request to access network location #1 is sent to, and received by, network location #1 (360). A reply, to the request to access, which includes content from location #1 116, is generated by network location #1 and is sent to the network interface device 110 (365). The reply from location #1 116 is received by the network interface device 110 (370) and is routed by the network interface device 110 to the client 104 (375). The client 104 receives the reply to the request (380).

The previous description is an example implementation of the grant-or-deny process 300 and other or different operations may be included. For example, logging of the access requests may be performed by the host 114 and determining whether to grant-or-deny access may be performed at the network interface device 110. Multiple clients 104 used by different users may concurrently be involved in separate grant-or-deny processes 300 through the network interface device 110.

Referring to FIG. 4, a process 400 may be used for organizing an access request log report. The process 400 may be used in conjunction with the system 100 of FIG. 1 and the discussion below, as well as FIG. 4 itself, describe the process 400 in the context of the system 100. However, other systems may be used. In one implementation, the process 400 is carried out once per week. In other implementations, the process 400 is carried out after every grant-or-deny decision is determined.

In process 400, a network interface device 110 provides a log of requests from the client 104 to the host 114 (405). The log of requests from the client 104 includes data associated with the access requests and the grant-or-deny decision accompanying each access request. The log tracks all requests from the client 104 regardless of which user may have been using the client 104.

The host 114 receives and compiles the log of requests (410). Compiling the requests includes processing to simplify data such as, for example, combining access requests into a group associated with all access requests for a particular network location.

A report of the log of requests is generated by the host 114 (415). The report is provided to a user having the appropriate rights to view the report (420). Such a user is referred to as a control user. The report contains information described in the compiled requests and may be provided in various forms, such as, for example, in a webpage or an email.

Implementations may perform the operation of providing the host 114 with logs of requests (405) multiple times prior to the host 114 generating a report of the log of requests. For example, the network interface device 110 may provide a log of requests for the client 104 to the host 114 (405) after every request for content from the client 104, or every few seconds so as, for example, not to unnecessarily consume bandwidth at critical times. Further, the host 114 may receive the numerous logs, but only generate the log of requests (415) once every twenty-four hours, or whenever specifically requested by an authorized user. Note that the generated report may be provided automatically to an authorized user by, for example, the host 114 sending the report by e-mail automatically every twenty-four hours.

The previous description is an example implementation of organizing an access request log report. Other, or different, operations may be included. For example, the compiling of requests (410) for the client 104 and the generation of a report of the log of requests (415) may be conducted at the network interface device 110 instead of the host 114.
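The per-machine logging of process 300 and the compile and report steps of process 400, as an added example that is not part of the patent text. The class and function names, the sample identifiers and URLs, and the choice to deny (but still log) a machine that has no rule are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    location: str   # host name of the requested network location
    granted: bool


def unrestricted(location, when):
    return True


def deny_all(location, when):
    return False


def allowed_hours(start, end):
    """Rule: grant only when start <= hour < end (a time-of-day limit)."""
    return lambda location, when: start <= when.hour < end


class Router:
    """Stands in for network interface device 110 (hypothetical class)."""

    def __init__(self, rules):
        self.rules = {k.lower(): v for k, v in rules.items()}
        self.logs = defaultdict(list)   # one log per machine identifier

    def handle_request(self, machine_id, url, when):
        machine_id = machine_id.lower()
        location = (urlsplit(url).hostname or "").lower()
        # Assumption: a machine with no rule is denied, but still logged.
        rule = self.rules.get(machine_id, deny_all)
        granted = bool(location) and rule(location, when)
        # Both grants and denials go into that machine's own log (335/355).
        self.logs[machine_id].append(LogEntry(when, location, granted))
        return granted

    def upload(self):
        """Hand the per-machine logs to the host and start fresh logs (405)."""
        batch, self.logs = dict(self.logs), defaultdict(list)
        return batch


def compile_log(entries):
    """Host side (410): fold one machine's entries into one row per location."""
    rows = {}
    for e in sorted(entries, key=lambda e: e.when):
        row = rows.setdefault(
            e.location,
            {"location": e.location, "granted": 0, "denied": 0, "last": None})
        row["granted" if e.granted else "denied"] += 1
        row["last"] = e.when
    # Most requested locations first, ties broken by name.
    return sorted(rows.values(),
                  key=lambda r: (-(r["granted"] + r["denied"]), r["location"]))


def build_report(batch):
    """Host side (415): one compiled section per machine identifier."""
    return {m: compile_log(entries) for m, entries in sorted(batch.items())}


# Constructed sample data: identifiers and URLs are made up for the example.
OFFICE, KID, UNKNOWN = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"


def demo():
    router = Router({OFFICE: unrestricted, KID: allowed_hours(16, 20)})
    day = datetime(2024, 1, 6)
    router.handle_request(KID, "http://homework.example/unit1", day.replace(hour=17))
    router.handle_request(KID, "http://homework.example/unit2",
                          day.replace(hour=17, minute=5))
    router.handle_request(KID, "http://games.example/",
                          day.replace(hour=21, minute=12))
    router.handle_request(OFFICE, "http://games.example/",
                          day.replace(hour=21, minute=30))
    router.handle_request(UNKNOWN, "http://news.example/", day.replace(hour=9))
    return build_report(router.upload()), router


if __name__ == "__main__":
    report, _ = demo()
    for machine, rows in report.items():
        for r in rows:
            print(machine, r["location"], r["granted"], r["denied"], r["last"])
```

Keying the log on the machine identifier rather than on a user name is what lets the report cover every request from a machine regardless of who was using it.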

Referring to FIG. 5A, a graphic user interface (GUI) 500 for configuring controls is illustrated. The GUI 500 may be an interface to controls on, for example, one or more of the host 114 or the network interface device 110. The GUI 500 may be used in connection with the system 100 of FIG. 1 and the discussion below describes the GUI 500 in the context of the system 100. However, other systems may be used.

The GUI 500 includes edit instructions 505 and a client table 510. The client table 510 includes a computer name list 515, a category list 520, and a restriction decision list 525.

The edit instructions 505 include instructions pertaining to available control options and direct the user to available configuration options in the client table 510. The client table 510 describes the client 104 profiles that are associated with the network interface device 110.

Client 104 profiles may be associated with the network interface device 110 in various ways. For example, merely by entering a particular client 104 profile in the GUI 500, the particular client 104 profile (as well as the particular client 104) may be associated with the network interface device 110. Alternatively, or in addition, a particular client 104 profile (or, in some implementations, the particular client 104) may be associated with the network interface device 110 by having the network interface device 110 automatically associate those clients 104 that are in communication with the network interface device 110 to access content over the network 112. Alternatively, or in addition, consent from a particular client 104 may be required before associating the particular client 104 with the network interface device 110.

Note that the network interface device 110 may still apply access rules (and/or logging) to a client 104 that is not associated with the network interface device 110. For example, the network interface device 110 may apply access rules from a profile designated for “non-associated clients 104,” or may apply default access rules that may apply to any client 104 (associated or not) for which a profile has not designated a specific category list 520 and/or a specific restriction decision list 525. The network interface device 110 also, or alternatively, may apply no access rules and allow access to all requested content, or may allow no access to any requested content. Further, the network interface device 110 may apply access rules (and/or logging) to a client 104, whether associated with the network interface device 110 or not, regardless of whether the client 104 has, for example, (1) received an Internet Protocol address from the network address device 110 or (2) self-generated an Internet Protocol address.

The client table 510 displays the client profile that includes the computer name list 515, the category list 520, and the restriction decision list 525. The computer name list 515 lists the names of the clients 104. The category list 520 lists the assigned categories of user access level. The assigned category of user access level is associated with predetermined network access rules, as described below. The restricted decision list 525 reflects whether a client 104 is granted unrestricted access for all access requests.

The computer name list 515 shows that three devices (three clients 104) are controlled by the table 510 and are associated with the network interface device 110. The computer name list 515 includes an Office's PC 530, a Mom's PC 535, and a Kid's PC 538. Office's PC 530 and Mom's PC 535 both are listed as having the category list 520 entry of “general” 540. Because both Office's PC 530 and Mom's PC 535 are associated with the same category, the network access rules associated with both clients are identical. The restricted decision for the general category 540 is unrestricted 550. All access requests will be granted for all users of either Office's PC 530 or Mom's PC 535.

In contrast, however, Kid's PC 538 has a category of Young Teen 542 with a restricted decision list 525 of “No” 552. The “No” 552 indicates that the Kid's PC 538 is restricted, and the category of Young Teen 542 indicates that content not suitable for a young teen will be blocked for all users on Kid's PC 538.

The previous description is an example implementation of the GUI 500 for configuring controls, and other or different features may be included. For example, other details may be included in the client table 510 such as a numbered restriction level associated with a predetermined scale of restrictions.

Referring to FIG. 5B, a GUI 550 for configuring controls is illustrated. The GUI 550 may be used in conjunction with the system 100 of FIG. 1 and the discussion below describes the GUI 550 in the context of the system 100. However, other systems may be used.

The GUI 550 includes various access control options for a client 104, specifically the Kid's PC 538.

Included in the access control options are various options that determine when, or how long, Internet access may be granted to a user of client 104. The options include (i) an option 555 to block all Internet access, which never allows an access request, (ii) an option 560 to allow Internet access by time of day which may grant an access request during predetermined times of specified days, (iii) an option 570 to allow Internet access on particular days only (Saturday and Sunday are shown in FIG. 5B), (iv) an option 575 to allow Internet access for a specified amount of time each day (1 hour is shown in FIG. 5B), (v) an option 580 to allow homework time, which may grant access requests from 4 pm-8 pm to allow use of the Internet for homework, or may block access requests from 4 pm-8 pm so that a user will not be distracted from homework, (vi) an option 585 to allow unlimited access every day, and (vii) an option 590 to allow custom settings, which may grant access requests according to a combination of the above access control options and/or access control options other than those previously mentioned.

After selecting access control options, sub-options are displayed. For example, after selecting the option 560 to allow Internet access by time of day, a chart 565 of days of the week and allowable access times is displayed. The chart 565 allows a user to select sub-options available for the access control options.

The previous description is an example implementation of the GUI 550 for configuring controls, and other or different access control options may be included. For example, an option may allow access when the control user is online using Kid's PC 538, thus providing an override of the standard access rules. As another example, an option may block all clients 104 that do not have a profile, thus precluding an unidentified machine from using the network interface device 110 to access content.

Referring to FIG. 6A, a log report of access requests 600 is illustrated. The log report of access requests 600 may be used in conjunction with the system 100 of FIG. 1 and the discussion below describes the log report of access requests 600 in the context of the system 100. However, other systems may be used.

The log report of access requests 600 includes a log introduction 605, a client options section 610, and a further information section 615. The log introduction 605 describes current log options such as the periodicity of the report generation. The client options 610 includes options that are directed towards information in the log report of access requests 600 that the user may choose to view. The further information section 615 includes other information deemed appropriate to the log report 600. For example, the further information section 615 may include notes and tips specific to information contained in the log report 600.

The client options section 610 includes options that enable the user to view different types of information. The client options section 610 relates to the client Kid's PC 538. The client options section 610 includes a selection 612 to view sites visited by Kid's PC 538 during the selected duration of the log report of access requests 600. The client options section 610 also includes a selection 614 to set controls, allowing the user to set or change access control options for Kid's PC 538.

The previous description is an example implementation of the log report of access requests 600 for configuring controls, and other or different access control options may be included. The report can be accessed in a variety of ways, such as by email or a webpage. The report can be sent periodically or continuously as the access requests are received. The log report of access requests 600 may also show information pertaining to denied or granted access requests. The log report of access requests 600 may include information pertaining to multiple clients 104 or may be generated for each client 104.

Referring to FIG. 6b, a portion 620 of the log report of access requests is illustrated that shows sites visited by Kid's PC 538. The portion 620 is displayed in response to a user selecting option 612 to view the sites visited by Kid's PC 538. The portion 620 includes a client log 625. The client log 625 includes a number of visits, such as, for example, an entry 630 showing one visit to www.aolkids.com at 9:12 pm. Each entry (e.g., entry 630) includes a frequency 635 showing the number of times a client 104 has accessed a particular URI, a time 635 showing the time of day at which the client 104 accessed the particular URL, and a location 640 showing a URL for the web address of the network location accessed by the client 104.

The previous description is an example implementation of the portion 620 showing sites visited. The portion 620 may display information for multiple clients 104 in separate client logs 625 or together as one client log 625. The information within the client log 625 may detail a summary of access requests such as the most frequently accessed sites or the most mature sites. The portion 620 may also show information pertaining to denied access requests.

Referring to FIG. 6c, a log report of access requests 650 for multiple clients is illustrated. The log report of access requests 650 may be used in conjunction with the system 100 of FIG. 1 and the discussion below describes the log report of access requests 650 in the context of the system 100. However, other systems may be used.

The log report of access requests 650 includes a multiple client log 655. The multiple client log 655 includes a time feature 660 showing the time of the first and last browsing of the web. The multiple client log 655 also includes a list 665 of the top five websites visited, an indicator 670 of the number of mature sites viewed, and an option 675 to view full details of the browsing activity.

The time feature 660 indicates the time of the first access request during the time period of the log report of access requests 650 and the time of the last access request during the time period of the log report of access requests 650. The list 665 of the top five websites visited indicates the five websites which had the most access requests generated by the client 104 during the time period of the log report of access requests 650. The top five websites may be displayed, for example, in order of most recently visited. The indicator 670 of the number of mature sites viewed indicates the total number of access requests for mature sites by the client 104 during the time period of the log report of access requests 650. The option 675 to expand details enables a user to view further details included within the log report of access requests 650.

Implementation of the log report of access requests 650 may vary. For example, the log report of access requests 650 may also show information pertaining to denied access requests.

Referring to FIG. 7, a process 700 is illustrated for providing network access control and logging. The process 700 may be used in conjunction with the system 100 of FIG. 1 and the discussion below describes the process 700 in the context of the system 100. However, other systems may be used.

In the process 700, a network interface device 110 at a user location receives (705) a request from a first machine 104 at the user location. The request may include a first-machine identifier and a request to access through the network interface device 110 a first location on a network. In one implementation, receiving the request (705) is analogous to receiving the request sent in operation 305 of process 300.

The network interface device 110 logs the request from the first-machine 104 into a first-machine log for requests from the first machine (710). The log into the first-machine log is based on the first-machine identifier. In one implementation, logging the request (710) is analogous to operation 355 of process 300.

The network interface device 110 at the user location receives a request from a second machine 104 at the user location (715). The request includes a second-machine identifier and a request to access through the network interface device 110 a second location on the network. In one implementation, receiving the request (715) is analogous to operation 705.

The network interface device 110 logs the request from the second-machine 104 into a second-machine log for requests from the second machine (720). The log into the second-machine log is based on the second-machine identifier. In one implementation, logging the request (720) is analogous to operation 355 of process 300.

The process 700 may, but need not, include performing access control. Analogously, implementations may perform a process that performs access control without logging, such as, for example, by performing the process 400 without performing logging operations 335 or 355.
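The per-machine logging of process 700 and the summary fields of the FIG. 6c report (first and last access, top five sites, mature and denied counts) can be sketched as follows. This is an added example, not code from the patent; the class and field names, the MAC-style identifiers, and the sample traffic are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Request:
    machine_id: str        # assumption: a MAC-style string; the page only says "identifier"
    when: datetime         # time the router received the request
    url: str
    granted: bool = True   # outcome of the access-control check, if one ran
    mature: bool = False   # assumption: category flag supplied by that check


class RouterLog:
    """One log per machine identifier, as in operations 710 and 720."""

    def __init__(self):
        self._logs = defaultdict(list)

    def log(self, req):
        # The identifier alone selects the log, so two machines behind the
        # same router never share entries.
        self._logs[req.machine_id].append(req)

    def machines(self):
        return sorted(self._logs)

    def report(self, machine_id, top_n=5):
        """Summary in the style of FIG. 6c for one machine, or None if it has no log."""
        if machine_id not in self._logs:
            return None
        entries = sorted(self._logs[machine_id], key=lambda r: r.when)
        hits, last_seen = Counter(), {}
        for r in entries:
            site = urlsplit(r.url).hostname or r.url
            hits[site] += 1
            last_seen[site] = r.when      # entries are in time order
        # Pick the most requested sites, then list them most recent first.
        top = sorted(hits, key=lambda s: (-hits[s], s))[:top_n]
        top.sort(key=lambda s: last_seen[s], reverse=True)
        return {
            "first": entries[0].when,
            "last": entries[-1].when,
            "top_sites": [(s, hits[s]) for s in top],
            "mature_requests": sum(r.mature for r in entries),
            "denied_requests": sum(not r.granted for r in entries),
        }


# Constructed sample traffic (not from the page): a known PC and a visiting laptop.
KID_PC, LAPTOP = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SAMPLE = [
    Request(KID_PC, datetime(2005, 4, 4, 19, 5), "http://kids.example/home"),
    Request(KID_PC, datetime(2005, 4, 4, 19, 20), "http://games.example/play"),
    Request(LAPTOP, datetime(2005, 4, 4, 20, 15), "http://mature.example/", False, True),
    Request(KID_PC, datetime(2005, 4, 4, 21, 12), "http://kids.example/stories"),
    Request(LAPTOP, datetime(2005, 4, 4, 20, 40), "http://news.example/"),
    Request(LAPTOP, datetime(2005, 4, 4, 20, 45), "http://mature.example/x", False, True),
]


def build_sample_log():
    log = RouterLog()
    for req in SAMPLE:
        log.log(req)
    return log


if __name__ == "__main__":
    sample_log = build_sample_log()
    for machine in sample_log.machines():
        print(machine, sample_log.report(machine))
```

Because the log is keyed only on the identifier the machine presents, a report is only as trustworthy as that identifier; the denied-request count is kept so that blocked attempts still appear in the report.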

Referring to FIG. 8, a process 800 is illustrated for providing network access control and logging. The process 800 may be used in conjunction with the system 100 of FIG. 1 and the discussion below describes the process 800 in the context of the system 100. However, other systems may be used.

Process 800 includes establishing a connection between a network interface device 110 and a first network service provider (805). The network service provider includes network access control rules.

The network interface device 110 receives a request from a first machine 104 to access a second network service provider through the network interface device 110 (810). The second network service provider is different from the first network service provider.

Process 800 includes providing, through the network interface device 100, access between the machine 104 and the second network service provider (815). The network interface device 110 accesses a control rule from the first network services provider that governs service provided to the machine 104 from any network service provider (820). The network interface device 110 applies the access control rule to the machine 104 while the machine 104 is connected with the second network service provider in order to limit the service provided to the machine 104 from the second network service provider (825).

In one implementation of process 800, a client device connects to the Internet through a router at a user location. The client device requests content through an Internet Service Provider (ISP). The router, on the other hand, governs access based on rules and information stored with a host computer that is remote and distinct from the ISP. Thus, two logical connections are used—one between the client device and the ISP, and one between the router and the host.

Another example of an implementation according to process 800 involves a home that includes a PC and a wireless router, in wireless communication with each other. The router connects to the Internet and provides access, for the PC, to content on the Internet. The access is typically provided through a host, and the host also stores network access rules that are used to govern access to online content from any computer that connects to the Internet through the router. In practice, the users at the PC would ordinarily log-in to the host, and access to the Internet would be provided through the host. The router communicates with the host to access the rules and determine, based on the rules, whether or not to allow access to the requested content. In this scenario (other scenarios and implementations may differ), the host provides access to the Internet without screening, and relies on the router to do the screening based on the access rules stored on the host. In this example, however, the router also is able to log and screen content requests from a computer that during its offline operation and during operations not involving the host.

For example, a father may set up the host account to block objectionable content for all users of the PC at home. However, a son's friend may come over to the house with a laptop and use the wireless router to access the Internet through an Internet Service Provider (ISP) other than the host, such that the friend does not log-in to the host. In this case, the router still does communicate with the host to determine what access rules to apply to the presumably unrecognized laptop. The router also is able to apply those rules to the laptop even though the laptop does not use the host to get to the Internet. Accordingly, the router logs the friend's attempt to access objectionable content, and/or blocks the friend's attempt to access objectionable content (so that the content is not delivered through the router to the laptop). Additionally, the father can access a log report that will indicate the exact websites that the friend attempted to access, the number of times the friend attempted to access those websites, and the times of day at which the attempts were made.
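The rule application in process 800 can be illustrated with a small decision function: the router looks up the rules held by the host using the machine identifier and applies them regardless of which ISP carries the traffic. This is an added example, not code from the patent; `HostRules`, `Profile`, the category labels, and the sample identifiers and times are hypothetical, and the time windows stand in for the day and time chart 565.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class Profile:
    name: str
    blocked_categories: frozenset = frozenset()
    # weekday (0 = Monday) -> allowed (start, end) windows, like chart 565.
    # None means no time restriction; a weekday missing from the dict means no access.
    allowed_hours: dict = None


class HostRules:
    """Stand-in for the rule store on the remote host (hypothetical interface)."""

    def __init__(self, profiles, default_profile=None):
        self.profiles = profiles                # machine identifier -> Profile
        self.default_profile = default_profile  # None = block machines without a profile

    def profile_for(self, machine_id):
        return self.profiles.get(machine_id, self.default_profile)


def decide(rules, machine_id, category, when):
    """Return (granted, reason). Which ISP carries the traffic plays no part."""
    profile = rules.profile_for(machine_id)
    if profile is None:
        return False, "no profile"
    if profile.allowed_hours is not None:
        windows = profile.allowed_hours.get(when.weekday(), [])
        if not any(start <= when.time() < end for start, end in windows):
            return False, "outside allowed hours"
    if category in profile.blocked_categories:
        return False, "blocked category"
    return True, "allowed"


# Constructed configuration (not from the page).
KID_PC, LAPTOP = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
SCHOOL_NIGHT = [(time(15, 0), time(20, 0))]
WEEKEND = [(time(9, 0), time(21, 0))]
KID_PROFILE = Profile(
    "Kid's PC",
    frozenset({"mature"}),
    {**{day: SCHOOL_NIGHT for day in range(5)}, 5: WEEKEND, 6: WEEKEND},
)
GUEST_PROFILE = Profile("unrecognized machine", frozenset({"mature"}))

# Father's setup: unrecognized machines still get the content rules.
RULES = HostRules({KID_PC: KID_PROFILE}, default_profile=GUEST_PROFILE)
# Alternative option from the GUI description: block every client without a profile.
STRICT_RULES = HostRules({KID_PC: KID_PROFILE})

MONDAY_4PM = datetime(2005, 4, 4, 16, 0)
MONDAY_9PM = datetime(2005, 4, 4, 21, 12)
SATURDAY_8PM = datetime(2005, 4, 9, 20, 30)

if __name__ == "__main__":
    print(decide(RULES, KID_PC, "kids", MONDAY_9PM))
    print(decide(RULES, LAPTOP, "mature", MONDAY_9PM))
    print(decide(STRICT_RULES, LAPTOP, "news", MONDAY_9PM))
```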

Referring again to FIG. 1, other implementations of the system 100 may provide that the server 116 is accessible through the host 114, with or without being directly accessible from the network 112 without going through the host 114.

Referring again to FIG. 3, other implementations of the process 300 include storing the grant/deny decision for a particular network location so that subsequent requests from a user to access the particular network location can be decided by accessing the stored decision. Further implementations of FIG. 3 also provide a bypass option so that the access rules for a given client are not applied to an authorized user. For example, the client may provide on an Internet browser an option labeled “bypass” that, when selected, allows an authorized user to enter a password. After the authorized user is verified, the network interface device no longer applies the normal access rules for that client but, rather, applies no rules at all or applies another set of rules that applies to the authorized user.

Referring again to FIGS. 6a-c, other implementations may allow an authorized user to tailor the log reports so that reports for each client have a different format, or reports for each user have a different format.

As is evident from the breadth of the disclosure, implementations, features, and techniques described herein, as well as variations or combinations of them, may be implemented at least in part, for example, in an operating system or in a stand-alone application or utility, running on one or more of a variety of devices. Such devices may include, for example, a personal computer, a server, a router, a gateway, or a special-purpose computer or machine. A device also may include, for example, discrete or integrated hardware, firmware, and software. A device may include, for example, a processor, which refers to processing devices in general, including, for example, a microprocessor, an integrated circuit, a programmable logic device, and a device containing a software application.

Such a device may be configured to perform one or more processes. For example, implementations may be embodied in a device that includes one or more computer readable media having instructions for carrying out one or more processes. The computer readable medium may include, for example, a storage device such as, for example, a hard disk, a compact diskette, a random access memory (“RAM”), and a read-only memory (“ROM”). A computer readable medium also may include, for example, formatted electromagnetic waves encoding or transmitting instructions. Instructions may be, for example, in hardware, firmware, software, and in an electromagnetic wave. Instructions may be found in, for example, an operating system, a separate application, or a combination of the two. A processor may be, for example, both a device configured to carry out a process and a device including computer readable media having instructions for carrying out a process.

A number of implementations have been described. Nevertheless, it will be understood that various modifications may be made. For example, elements of different implementations may be combined, supplemented, modified, or removed to produce other implementations. Further, various technologies may be used, combined, and modified to produce an implementation. Accordingly, other implementations are within the scope of the following claims.

What is claimed is:
1. A method comprising: receiving client options corresponding to at one least report, wherein the client options comprise of at least one or more options of: periodicity, set controls, and information pertaining to sites viewed; receiving, at a network interface device at a user location, a request from a first machine located at the user location, the request including a first-machine identifier and a request to access through the network interface device a first location on a network; logging, at the network interface device, the request from the first machine into a first-machine log for requests from the first machine, the logging into the first-machine log being based on the first-machine identifier; receiving, at the network interface device, a request from a second machine located at the user location, the request from the second machine including a second-machine identifier and a request to access through the network interface device a second location on the network, where the network interface device, the first machine, and the second machine are located at a user location; receiving, at the network interface device, a second request from the first-machine, the second request from the first-machine including the first-machine identifier and a request to access through the network interface device at a third location on the network; logging, at the network interface device, the request from the second machine into a second-machine log for requests from the second machine, the logging into the second-machine log being based on the second-machine identifier; accessing a first-machine network access rules, wherein at least one access rule regulates how long access may be granted to the network; determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the first location on the network; accessing a second-machine network access rule, wherein at least one access rule regulates what days access may be granted; determining, based on the accessed second-machine network access rule, whether to grant the second machine access to the second location on the network; and providing the first-machine log, the second-machine log, and the at least one report to a recipient device based on the client options.
2. The method of claim 1 wherein receiving the request from the second machine comprises receiving the request from the second machine while the network interface device is coupled to both the first machine and the second machine.
3. The method of claim 1 further comprising: logging, at the network interface device, the second request from the first machine into the first-machine log, the logging into the first-machine log being based on the first-machine identifier; and wherein: the first request from the first machine is sent using a first user identity that is logged in to a first account in a network service provider, and the second request from the first machine is sent using a second user identity that is logged in to a second account in the network service provider.
4. The method of claim 3 further comprising: accessing a first-machine network access rule; determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the first location on the network; and determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the third location on the network.
5. The method of claim 1 further comprising: determining, based on the first-machine identifier, that the first machine is associated with the network interface device; and determining, based on the second-machine identifier, that the second machine is not associated with the network interface device.
6. The method of claim 1 wherein the second-machine network access rule provides that the second machine is prohibited from accessing the second location on the network based on the determination that the second machine is not associated with the network device.
7. The method of claim 1, wherein the network interface device includes a router.
8. The method of claim 7 further comprising receiving at the network interface device a token from the recipient device, the token configured to verify the identity of the network interface device, and wherein providing the first-machine log to the recipient device further comprises transmitting a communication to the recipient device based on the token.
9. The method of claim 1 wherein the first-machine log includes multiple requests from the first machine, the second-machine log includes multiple requests from the second machine, and the method further comprises: providing the first-machine log and the second-machine log to a recipient device; receiving at the recipient device settings from a control user associated with the network interface device, wherein the settings include: first-machine report compilation instructions specifying how to compile requests from the first machine in the first-machine log, and second-machine report compilation instructions specifying how to compile requests from the second machine in the second-machine log; compiling requests from the first-machine log according to the first-machine report compilation settings; compiling requests from the second-machine log according to the second-machine report compilation settings; generating at least one report based on the compiled requests from the first-machine log and the compiled requests from the second-machine log; and providing the at least one report to the control user.
10. The method of claim 9 wherein providing the at least one report to the control user comprises sending the report to the control user in an email.
11. The method of claim 9 wherein providing the at least one report to the control user comprises making the report accessible to the control user on a web page.
12. The method of claim 9 wherein: the first-machine report compilation instructions and the second-machine report compilation instructions are different; generating at least one report comprises: generating a first report based on the compiled requests from the first-machine log, and generating a second report based on the compiled requests from the second-machine log; and providing the at least one report comprises: providing the first report to the control user, and providing the second report to the control user.
13. The method of claim 1 wherein the logged request from the first machine includes the time at which the first request was received at the network interface device.
14. The method of claim 1 further comprising, wherein the first-machine network access rule and second machine access rule is associated with a category indicative of a predetermined user access level.
15. The method of claim 14 further comprising, wherein the predetermined user access level is associated with predetermined network access rules.
16. A system comprising: one or more processors; and a memory storing instructions, the instructions being executable by the one or more processors to perform operations comprising: receiving client options corresponding to at one least report, wherein the client options comprise of at least one or more options of: periodicity, set controls, and information pertaining to sites viewed; receiving a request from a first machine, the request including a first-machine identifier and a request to access a first location on a network, and receiving a request from a second machine, the request including a second machine identifier and a request to access a second location on the network, the first machine and the second machine being located at a user location; receiving, at the network interface device, a second request from the first machine, the second request from the first machine including the first-machine identifier and a request to access through the network interface device at a third location on the network; logging the request from the first machine into a first-machine log for requests from the first machine, the logging into the first-machine being based on the first-machine identifier, logging the request from the second machine into a second-machine log for requests from the second machine, the logging into the second-machine being based on the second-machine identifier; accessing a first-machine network access rules, wherein at least one access rule regulates how long access may be granted to the network; determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the first location on the network; accessing a second-machine network access rule, wherein at least one access rule regulates what days access may be granted; determining, based on the accessed second-machine network access rule, whether to grant the second machine access to the second location on the network; and providing the first-machine log, the second-machine log, and the at least one report to a recipient device based on the client options.
17. The system of claim 16 wherein: the receiving of the request from the first machine, and the receiving of the request from the second machine, and the second portion of the apparatus comprises a second portion of the computer readable medium having instructions for performing: the logging of the request from the first machine into the first-machine log for requests from the first machine, and the logging of the request from the second machine into a second-machine log for requests from the second machine.
18. The system of claim 16 further comprising: logging of the request from the first machine into the first-machine log for requests from the first machine, and the logging of the request from the second machine into a second-machine log for requests from the second machine.
19. The system of claim 16 wherein the system is further configured for: accessing a first-machine network access rule associated with a category indicative of a predetermined user access level; determining, based on the accessed first-machine network access rule, whether to grant the first machine access to the first location on the network; accessing a second-machine network access rule associated with a category indicative of a predetermined user access level; and determining, based on the accessed second-machine network access rule, whether to grant the second machine access to the second location on the network.